Identity
presented by
Patrick Burke and Christian Loza
Introduction
The Internet has changed the way we do business forever.
In the cyberspace, our Identity has changed too, and a Digital Identity has emerged.
Identity can be defined as a set of characteristics that uniquely identifies us (or a digital entity)[1].
Introduction
CONCEPTS
Identity: Set of characteristics that identifies a given entity.
Identification: Recognizing someone as a specific individual.
Authentication: Process to make sure the identification is valid.
Authorization: Set of resources given to a certain entity, based on the identity.
Introduction
In the physical world, users can be identified by physical characteristics, such as hair color, height, skin color, etc.
On the Internet, users are identified by sets of information, such as SSN, name, credit card number, address, phone number, etc.
Introduction
Most of the services have gone to the Internet:
Electronic Commerce
Electronic Government
Electronic Learning
Electronic Marketing
Electronic Publishing
Introduction
To interact on the Internet with these service providers, people use their Digital Identity.
Introduction
One of the drawbacks of human-centric electronic interactions is the fuzziness of the image of the other partner over the network.
Introduction
Ensuring security and privacy in a distributed communication system such as the Internet is crucial.
Crimes related to identity theft have become a major threat to the growth of commerce over the Internet.
Introduction
Identity-related misuse and concerns[2]
Identity theft: Someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception[3].
Malicious change of information: Someone wrongfully changes the personal information of somebody else, or of himself, to do harm or for self benefit.
Secondary use: Somebody impersonates someone else for personal benefit.
And the list keeps growing
Federated Identity - Some facts
Below are some institutions and people believed to be victims of identity theft.
Bill Gates
CIA, NASA, Justice Department
Wells Fargo
Bank of America
eBay
UNT?
Problem Definition
Identity has brought more complexity to the business model.
Any person may now be using multiple identities to access multiple service providers on the Internet.
Multiple identities also mean redundant costs and increasing problems.
Problem Definition
One of the technologies that has emerged to solve the increasing complexity of identity management across multiple organizations is Federated Identity.
Problem Definition
Federated Identity is a digital credential analogous to a country passport[4].
Trust negotiation model: the gradual interchange of credentials between two entities, with the goal of establishing trust and finally exchanging resources.
Our task is to review proposals for designs of an efficient scheme for such federated interchange.
Problem Definition
Different sets of information from the Identity may be needed by different organizations
Federated Identity
A: Name, Address, Phone Number, PO Box, SSN
B: Name, Address, Phone Number, PO Box, SSN, Credit Card, Billing Address
C: Name, Address, Phone Number, PO Box, SSN, Credit Card, Passport Number

A: Name, Address, Phone Number, PO Box, SSN
B: Credit Card, Billing Address
C: Passport Number
Federated Identity - Credentials negotiation
Disclosure policies: credential combinations are required for disclosure of sensitive information.
Negotiation between user and service providers, and among service providers.
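The trust negotiation model above (gradual exchange of credentials under disclosure policies until a resource is released) can be simulated in a few dozen lines. The following is an added example, not code from the slides or from any of the cited papers; the party names, credential names and disclosure policies are constructed for illustration.

```python
# Added example (not from the slides or the cited papers): a simulation of the
# trust-negotiation model, in which two parties gradually disclose credentials
# under per-credential disclosure policies until a resource is released.
# All party names, credential names and policies below are constructed.
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    held: set                       # credentials (or resources) this party can disclose
    policy: dict                    # credential -> counterpart credentials required before release
    received: set = field(default_factory=set)
    sent: set = field(default_factory=set)

    def releasable(self):
        """Credentials not yet sent whose disclosure policy is satisfied by what we received.
        A credential with no policy entry is freely disclosable."""
        return {c for c in self.held - self.sent
                if self.policy.get(c, set()) <= self.received}


def negotiate(requester, provider, resource, max_rounds=10):
    """Alternate disclosures (requester first) until `resource`, held by the provider,
    reaches the requester, or a full round passes with no disclosure (stalemate).
    Returns (success, transcript); transcript is the ordered list of (sender, credential)."""
    transcript = []
    for _ in range(max_rounds):
        progressed = False
        for sender, receiver in ((requester, provider), (provider, requester)):
            for cred in sorted(sender.releasable()):   # sorted only for a deterministic transcript
                sender.sent.add(cred)
                receiver.received.add(cred)
                transcript.append((sender.name, cred))
                progressed = True
            if resource in requester.received:
                return True, transcript
        if not progressed:
            return False, transcript
    return False, transcript


def build_scenario(service_has_privacy_seal=True):
    """Constructed scenario: a user wants a purchase order from a service provider.
    The service releases it only after seeing the user's SSN and credit card; the
    user releases those only after seeing the service's own credentials."""
    user = Party(
        name="user",
        held={"name", "address", "ssn", "credit_card", "passport_number"},
        policy={
            "ssn": {"merchant_license"},
            "credit_card": {"merchant_license", "privacy_seal"},
            "passport_number": {"government_id"},   # never satisfied here: stays undisclosed
        },
    )
    service_held = {"merchant_license", "purchase_order"}
    if service_has_privacy_seal:
        service_held.add("privacy_seal")
    service = Party(
        name="service",
        held=service_held,
        policy={
            "privacy_seal": {"name"},
            "purchase_order": {"ssn", "credit_card"},
        },
    )
    return user, service


if __name__ == "__main__":
    user, service = build_scenario()
    ok, log = negotiate(user, service, "purchase_order")
    print("success:", ok)
    for sender, cred in log:
        print(f"  {sender} -> {cred}")
```

Run with the default scenario and the exchange takes two rounds: the user's freely disclosable attributes go first, the service answers with its license and privacy seal, the user then releases SSN and credit card, and the purchase order is released. The passport number is never disclosed because no policy ever asks for it, which is the minimal-disclosure property a federation should preserve. If the service cannot present a privacy seal, the credit card policy is never satisfied and the negotiation stops at a stalemate instead of leaking the attribute.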
Federated Identity - Scalability
KEY CONCEPTS for scalability of Federated Identity
Has to work with the browser as the client-side software
Centralized approach
Identity- or capability-based credentials
Federated Identity - Privilege management
Both Federated Identity and Privilege Management are cornerstones of a management framework.
A mechanism for Federated Identity and Privilege Management should satisfy at least eight requirements:
Federated Identity - Requirements
1. SSO (Single sign-on): Persistency of user identity across the enterprise domains; allows users to transfer their authorizations across multiple points of policy enforcement.
2. Effective access control: Access control should be fine-grained, to dynamically evolve with enterprise resources.
Federated Identity - Requirements
3. Decentralized model: The system should not rely on a centralized access point; instead, it should be distributed.
4. Authentication for strangers: In the new distributed Internet environment, there is no longer the concept of advance knowledge of identities or capabilities.
Federated Identity - Requirements
5. Trust, Anonymity and Privacy: Privacy protection is becoming an increasing concern, from both a social and a legal perspective. It is a compromise, since avoiding name-binding complicates trust establishment.
6. Standardized approach: The solution should have the capability to be integrated with other systems, using existing accepted standards.
Federated Identity - Requirements
7. Browser based: Nobody wants to install client-side applications.
8. Technology issues: Cookies and JavaScript are being used. Nevertheless, they have been shown to be a security problem, even though they are better than the other options.
Federated Identity - Ideal Scheme
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tickets in header
7. Request page w/ credentials
8. Set ticket
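The eight-step scheme is a browser redirect dance between a service provider and a central login service, with a ticket carried back in the redirect. The following is an added simulation of that flow, not code from the slides or from Passport, Kerberos or any other system they describe. It assumes that the identity provider and each service provider share a per-provider secret provisioned out of band and that tickets are signed with HMAC-SHA256 (the slides fix no ticket format); all user names, keys and URLs are constructed, and the injectable `now` clock exists only so the example runs deterministically.

```python
# Added example: a minimal simulation of the eight-step redirect scheme with a signed
# ticket. Assumed design: per-SP shared secret, HMAC-SHA256 ticket signature, ticket bound
# to an audience, an expiry and a single-use nonce. Names, users and keys are constructed.
import base64, hashlib, hmac, json, secrets, time


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Central login service (steps 3-6). sp_keys maps SP id -> shared secret."""

    def __init__(self, users, sp_keys, now=time.time):
        self.users = users      # username -> password; constructed sample (a real IdP stores hashes)
        self.sp_keys = sp_keys
        self.now = now

    def login(self, username, password, sp_id, ttl=300):
        """Step 5: check the credentials; step 6: mint a ticket bound to sp_id (or None)."""
        if self.users.get(username) != password or sp_id not in self.sp_keys:
            return None
        claims = {"sub": username, "aud": sp_id, "exp": int(self.now()) + ttl,
                  "nonce": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.sp_keys[sp_id], body, hashlib.sha256).digest()
        return b64(body) + "." + b64(sig)


class ServiceProvider:
    """Relying web site (steps 1, 2, 7, 8)."""

    def __init__(self, sp_id, key, idp_url, now=time.time):
        self.sp_id, self.key, self.idp_url, self.now = sp_id, key, idp_url, now
        self.seen_nonces = set()    # each IdP ticket is accepted once (replay defence)
        self.sessions = {}          # local session id -> username (the SP's own ticket)

    def verify_ticket(self, ticket):
        """Signature (constant-time compare), audience, expiry and single-use checks."""
        try:
            body_b64, sig_b64 = ticket.split(".")
            body = unb64(body_b64)
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, unb64(sig_b64)):
                return None
            claims = json.loads(body)
        except (ValueError, TypeError):
            return None
        if claims.get("aud") != self.sp_id or claims.get("exp", 0) < self.now():
            return None
        nonce = claims.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return claims.get("sub")

    def request_page(self, session_id=None, ticket=None):
        """Returns (status, payload). No session and no ticket -> 302 to the IdP (step 2);
        a valid ticket -> 200 plus a new local session (step 8)."""
        if session_id in self.sessions:
            return 200, self.sessions[session_id]
        if ticket is None:
            return 302, f"{self.idp_url}?return_to={self.sp_id}"
        user = self.verify_ticket(ticket)
        if user is None:
            return 401, None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return 200, (user, sid)


def run_flow(sp, idp, username, password):
    """Walk the eight steps for one browser and return (status, username)."""
    status, _ = sp.request_page()                       # 1. request page -> 2. auto redirect
    if status != 302:
        return status, None
    ticket = idp.login(username, password, sp.sp_id)   # 3./4. at the IdP -> 5. login
    if ticket is None:
        return 401, None
    status, result = sp.request_page(ticket=ticket)     # 6. redirect w/ ticket -> 7. page w/ credentials
    if status != 200:
        return status, None
    _, session_id = result                              # 8. the SP sets its own ticket
    return sp.request_page(session_id=session_id)


def build_demo(clock=lambda: 1_700_000_000):
    """Constructed IdP plus one SP ('shop'); a second SP id ('bank') has its own key."""
    keys = {"shop": b"shop-shared-secret", "bank": b"bank-shared-secret"}
    idp = IdentityProvider({"alice": "correct horse"}, keys, now=clock)
    sp = ServiceProvider("shop", keys["shop"], "https://idp.example/login", now=clock)
    return idp, sp
```

`run_flow(sp, idp, "alice", "correct horse")` returns `(200, "alice")`; a ticket minted for another provider, an expired ticket, a ticket with an altered body, or a ticket presented twice is rejected at step 7. The per-provider key and the audience claim are what keep a ticket issued for one merchant from being accepted by another, which is the property the shared-key provisioning on the Passport slides exists to provide.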
Federated Identity - Examples
MSN Passport Developed by Microsoft
Kerberos Developed by MIT
X.509 Network Working Group Certificate Management Protocol
RBAC Research Proposal
Federated Identity - MSN Passport
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login & passport
6. Redirect w/ tokens in header
7. Request page w/ credentials
8. Set cookie
Federated Identity - MSN Passport
Centralized model
Credentials and no tickets
Used to authenticate users of Hotmail and MSN Messenger. Other users include Zurich, GMAC.
The biggest Federated Identity system is Passport, from Microsoft.
Federated Identity - MSN Passport
Processes 3.5 billion authentications each month
Uses XML as the core
Uses SSL
Passport requires triple-DES keys with each organization. The keys must be generated securely and given to the merchants out of band. Some keys were broken because of the poor randomness of the keys generated.
Federated Identity - MSN Passport - Problems
Centralized point of attack, against the distributed nature of the Internet. Vulnerable to DoS attacks.
Due to the cookie architecture, a service can impersonate MSN Passport and delete all the cookies in the clients (used for DoS attacks).
JavaScript and cookie technologies have been shown to be insecure.
Federated Identity - MSN Passport - Problems
Bugs have a great impact: MSN found problems many times, bringing down all services depending on Passport.
One example was a failure in the password resetting mechanism.
Federated Identity - Kerberos
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tokens in header
7. Request page w/ credentials
8. Set ticket
Symmetric
Federated Identity - Kerberos
Developed by MIT’s Project Athena
Allows mutual authentication and secure communications over the network
Uses symmetric-key encryption and authentication credentials
Authentication credentials are based on identity and are suited for access control lists.
Main problems for identity management are centralization and name binding.
Federated Identity - Kerberos - Problems
Kerberos is identity based, which gives problems for scalability. Key concept: avoid name-binding.
Suitable for access roles. Nevertheless, symmetric keys are not suited for federations and distributed identity management.
Federated Identity - X.509
1. Request page
2. Auto redirect
3. Redirect
4. Request credentials
5. Login
6. Redirect w/ tokens in header
7. Request page w/ access privileges
8. Set privileges
Asymmetric
Federated Identity - X.509
X.509 is a certificate scheme for authentication
Based on Public Key Infrastructure (PKI)
The access control credential is called an Attribute Certificate
Asymmetric authentication
Integrated approach to authentication and authorization
Federated Identity - X.509 - Problems
Integrated approach to authentication and authorization, which is not good in all contexts.
This is because not all system-specific capabilities may be known in advance.
Access control credentials are not sufficient to meet effective access control requirements. Key concept: not scalable.
Identity - Role-Based Access Control (RBAC)
Current Enterprise solutions employ a combination of physical security, passwords, and Role-based Access Control to ensure the identity of a user
Physical security and passwords protect the system from intrusion.
Role-based Access Control limits access to documents and data based on a “need to know” basis
Identity - Role-Based Access Control (RBAC)
Access rules are established with sets of access pairs which associate users and their corresponding permissions:
(user, permissions)
While RBAC is supported by many specific application packages (Oracle and Sybase, for example), the method will be described with a brief look at XML
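The (user, permissions) pairs above are normally not stored directly: users are assigned roles, roles carry permissions, and the pairs are derived. The following is an added example of that model, not code from the slides, Oracle or Sybase; it goes one step beyond the slide by letting a role inherit a junior role's permissions, and the users, roles and permissions are constructed sample data.

```python
# Added example (not from the slides, Oracle or Sybase): a small role-based access
# control model. Users are assigned roles, roles carry permissions, and the flat
# (user, permissions) pairs are derived. Role inheritance is an extension beyond the
# slide. Users, roles and permissions are constructed sample data.


class RBAC:
    def __init__(self):
        self.role_perms = {}     # role -> set of (action, object)
        self.role_parents = {}   # role -> junior roles whose permissions it inherits
        self.user_roles = {}     # user -> set of roles

    def add_role(self, role, inherits=()):
        self.role_perms.setdefault(role, set())
        self.role_parents[role] = set(inherits)

    def grant(self, role, action, obj):
        self.role_perms[role].add((action, obj))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user):
        """Removing a user is one operation: drop the role assignments and every
        derived (user, permission) pair disappears with them."""
        self.user_roles.pop(user, None)

    def role_closure(self, role):
        """The role plus every junior role reachable through inheritance."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_parents.get(r, ()))
        return seen

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            for r in self.role_closure(role):
                perms |= self.role_perms[r]
        return perms

    def permitted(self, user, action, obj):
        return (action, obj) in self.permissions(user)

    def access_pairs(self):
        """The slide's (user, permissions) pairs, flattened and sorted for display."""
        return sorted((u, p) for u in self.user_roles for p in self.permissions(u))


def build_demo():
    rbac = RBAC()
    rbac.add_role("clerk")
    rbac.grant("clerk", "read", "purchase_order")
    rbac.add_role("sales_secretary", inherits=["clerk"])   # inherits read, adds modify
    rbac.grant("sales_secretary", "modify", "purchase_order")
    rbac.add_role("auditor")
    rbac.grant("auditor", "read", "purchase_order")
    rbac.grant("auditor", "read", "audit_log")
    rbac.assign("ann", "sales_secretary")
    rbac.assign("bob", "clerk")
    rbac.assign("carol", "auditor")
    return rbac


if __name__ == "__main__":
    for user, perm in build_demo().access_pairs():
        print(user, perm)
```

The "need to know" limitation is enforced by `permitted`, which only consults the roles a user actually holds; `revoke_user` shows why role indirection helps with the "difficult to remove users" problem listed later: one deletion removes every derived pair, instead of hunting down per-resource grants.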
Federated Identity - XML Public Protocols
SAML (Security Assertion Markup Protocol)
XML based
Avoids limitations of cookies
SSO
Interoperability: different implementations can be compatible
Web Services: suited to work in browser environments
Federations: can simplify federation usability
Federated Identity - XML-Based Doc Security
X-Sec [5] is one notional XML-based control system with the following components:
Credential-types (ct) – defined user type definitions. Example: manager, customer, carrier. A credential-type is a pair (nct, Pct), where n is the name of the credential and P is the set of property specifications for the ct.
XML credential-type and corresponding graph representation [5]
XML-Based Doc Security
X-Sec Components (cont)
Credential – an instantiation of a credential-type. Specifies the set of property values characterizing a given subject against the credential-type itself.
Physical credentials are certified by the credential issuer.
XML credential and corresponding graph representation [5]
XML-Based Doc Security
X-Sec Components (cont)
Security Policy Base Template – Specifies credential-based security policies based on enterprise protection requirements:
Documents to which the policy applies
Portions of documents within target documents
Access modes
Propagation mode for the policy
XML-Based Doc Security
X-Sec Components (cont) Security Policy Base Instantiation Example (below)
Secretaries in sales can access and modify all purchase order documents
UPS employees can access information about the customer, carrier, and order id.
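The two policy sentences above can be evaluated against XML credentials with a small evaluator built from the three X-Sec components (credential-type, credential, policy base). The following is an added example, not X-Sec's own code or syntax, which the slides do not show: the credential-type names, the policy entries and the purchase order document are constructed to match the slide, and reducing propagation to "the portion and all its descendants" versus "the element only" is an assumed simplification of X-Sec's propagation modes.

```python
# Added example (not X-Sec's code or syntax): a toy evaluator for the three X-Sec
# components. Credential-types, policies and documents are constructed to match the
# slide; the two-valued propagation flag is an assumed simplification.
import xml.etree.ElementTree as ET

# Credential-type: name -> set of property names the credential must carry
CREDENTIAL_TYPES = {
    "employee": {"name", "department", "position"},
    "carrier_employee": {"name", "company"},
}

# Policy base: credential-type, required property values, target document, portions
# (element paths relative to the document root; "." is the whole document), access modes,
# propagate (True: the portion and all its descendants; False: the named element only)
POLICY_BASE = [
    {"ct": "employee", "cond": {"department": "sales", "position": "secretary"},
     "doc": "purchase_order", "portions": (".",), "modes": {"read", "modify"}, "propagate": True},
    {"ct": "carrier_employee", "cond": {"company": "UPS"},
     "doc": "purchase_order", "portions": ("customer", "carrier", "order_id"),
     "modes": {"read"}, "propagate": False},
]


def parse_credential(xml_text):
    """Return (type name, properties); reject a credential whose child elements are not
    exactly the properties of a known credential-type."""
    root = ET.fromstring(xml_text)
    props = {child.tag: (child.text or "").strip() for child in root}
    expected = CREDENTIAL_TYPES.get(root.tag)
    if expected is None or set(props) != expected:
        raise ValueError(f"credential does not instantiate a known type: {root.tag!r}")
    return root.tag, props


def covers(portion, path, propagate):
    """Does a policy portion reach the requested element path?"""
    if portion == ".":
        return propagate or path == "."
    return path == portion or (propagate and path.startswith(portion + "/"))


def authorized(credential_xml, doc_name, doc_root, path, mode):
    """Is `mode` on the element at `path` of document `doc_name` allowed to the holder
    of the credential? Default deny: some policy entry must match on every field."""
    ct, props = parse_credential(credential_xml)
    if path != "." and doc_root.find(path) is None:
        return False    # requested portion does not exist in the document
    for entry in POLICY_BASE:
        if entry["ct"] != ct or entry["doc"] != doc_name or mode not in entry["modes"]:
            continue
        if any(props.get(k) != v for k, v in entry["cond"].items()):
            continue
        if any(covers(p, path, entry["propagate"]) for p in entry["portions"]):
            return True
    return False


# Constructed sample document and credentials
PURCHASE_ORDER = ET.fromstring(
    "<purchase_order><order_id>PO-1001</order_id>"
    "<customer><name>Acme</name><address>1 Main St</address></customer>"
    "<carrier>UPS</carrier><items><item><sku>A1</sku><price>9.50</price></item></items>"
    "</purchase_order>")
ANN = "<employee><name>Ann</name><department>sales</department><position>secretary</position></employee>"
BOB = "<carrier_employee><name>Bob</name><company>UPS</company></carrier_employee>"
EVE = "<employee><name>Eve</name><department>marketing</department><position>secretary</position></employee>"

if __name__ == "__main__":
    print(authorized(ANN, "purchase_order", PURCHASE_ORDER, "items/item/price", "modify"))  # True
    print(authorized(BOB, "purchase_order", PURCHASE_ORDER, "customer/address", "read"))    # False
```

Ann's credential satisfies the sales-secretary policy, which propagates from the document root, so she may modify any element of a purchase order. Bob's UPS credential unlocks only read access to the customer, carrier and order id elements, and because that entry does not propagate, the customer's nested address element stays out of reach; a credential that merely claims the right type but carries the wrong property values (Eve) matches nothing.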
XML-Based Doc Security - Assessment
PRO:
Highly available in commercial products
Easy to set up
Training is readily available
Highly effective in a CLOSED and TRUSTED environment
CON:
Often difficult to REMOVE users
Impractical in an open user environment
Not a long-term Internet solution
Passwords can be stolen, resulting in unauthorized access
Periodic password changes make remembering passwords difficult
Left to their own devices, people tend to choose passwords that are easy to guess
Biometrics
DEFINITION: Any and all of a variety of identification techniques which are based on some physical or behavioral characteristic of the individual, contrasted with the larger population. Unique digital identifiers are created from the measurement of this characteristic.
Physiological Biometrics: Fingerprints, hand and/or finger geometry, eye (retina or iris), face, and wrist (vein)
Behavioral Biometrics: Voice, signature, typing behavior, and pointing
Biometrics
OVERVIEW
A user digital template is created during an “enrollment period” and stored in a database
On attempted verification, the relevant template is extracted and compared with the data input
An ATM card is still required to point at the correct digital template
Verification is based on statistical techniques of comparison between the two
Biometrics
Some devices to use Biometrics
Benchmarks
The eight points can be used to measure whether an Identity Management protocol is suited for scalability and federated use.
Browser features can be used as a metric: Use of cookies, use of JavaScript, use of XML
Biometrics - Benchmarks
BENCHMARKS for Biometrics
Template size
Speed of enrollment
False Accept Rate
False Reject Rate
Biometrics - Benchmarks
ASSESSMENT
PRO
When it works, it works best
Generally acceptable in controlled group settings
CON
Bad user perceptions
May be misused
May harm eyes
Input quality degrades with age
Unacceptable False Reject Rates: 17% - facial, 10% - finger swipe
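False Accept Rate and False Reject Rate are both set by one matcher threshold, which is why a system tuned to avoid rejecting legitimate users ends up accepting more impostors. The following is an added example, not from the slides or from [6], showing how the two rates are computed from match scores and how the trade-off is explored; the genuine and impostor scores are constructed, and a real evaluation uses thousands of comparisons.

```python
# Added example (not from the slides or [6]): computing False Accept Rate and False
# Reject Rate from matcher scores and locating the equal-error point. The scores are
# constructed sample data.

# Similarity scores (0..1) from comparing a live sample with a stored template.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.86, 0.58]   # same person
IMPOSTOR = [0.21, 0.35, 0.48, 0.12, 0.63, 0.29, 0.41, 0.55, 0.18, 0.74]  # different people


def far(threshold, impostor=IMPOSTOR):
    """False Accept Rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Reject Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def _candidates(genuine, impostor):
    # Only observed scores can change either rate, so they are the thresholds worth testing
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold at which FAR and FRR are closest (the usual single-number benchmark).
    Returns (threshold, FAR, FRR)."""
    t = min(_candidates(genuine, impostor),
            key=lambda c: abs(far(c, impostor) - frr(c, genuine)))
    return t, far(t, impostor), frr(t, genuine)


def operating_point(max_frr, genuine=GENUINE, impostor=IMPOSTOR):
    """Most restrictive threshold whose FRR stays within a usability budget, and the
    FAR paid for it. Returns (threshold, FAR, FRR)."""
    usable = [c for c in _candidates(genuine, impostor) if frr(c, genuine) <= max_frr]
    t = max(usable)
    return t, far(t, impostor), frr(t, genuine)


def tradeoff_table(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) rows: as the threshold rises, FAR falls and FRR climbs."""
    return [(c, far(c, impostor), frr(c, genuine)) for c in _candidates(genuine, impostor)]


if __name__ == "__main__":
    for t, fa, fr in tradeoff_table():
        print(f"threshold {t:.2f}  FAR {fa:.0%}  FRR {fr:.0%}")
    print("EER point:", equal_error_rate())
```

With the constructed scores the equal-error point sits at a threshold of 0.67 with FAR and FRR both at 10%; demanding that no legitimate user is ever rejected (`operating_point(0.0)`) forces the threshold down to 0.58 and doubles the FAR to 20%. The 17% and 10% reject rates quoted above describe systems operating well to the right of that point, where usability rather than security was the casualty.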
Conclusions
Identity is a key issue on the Next Generation Internet
Any new or already proposed scheme for Identity Management should address at least the eight points exposed
All Identity Management should work with a browser on the client side
Conclusions (cont)
Identity Management paradigms that ensure “you are you,” as opposed to “you are who you say you are” are absolutely critical to the future of e-commerce and electronic information sharing
Federated Identity can only be successful if the services are decentralized
Not an easy task
Conclusions (cont)
Access control systems will continue to provide enterprise solutions for controlled areas for the foreseeable future
Biometrics appears to be the only real solution on the horizon, but it is not yet reliable enough for use in the general world population.
Sources
Images and icons from http://www.kde-look.org
Icons from CISCO SYSTEMS http://www.cisco.com/warp/public/503/2.html#pkt
Photo on slide 7, from Wikipedia, http://en.wikipedia.org/wiki/Kevin_mitnik
References
1. Toby Baier, Christian Zirpins, Winfried Lamersdorf, “Digital Identity: How to be someone on the Net”
2. Peter G. Neumann, “Identity-Related misuse”, Communications of the ACM.
3. US Department of Justice (USDOJ). (2000, June). “Identity theft and fraud”. Retrieved July 1, 2004, from the World Wide Web: http://www.usdoj.gov/criminal/fraud/idtheft.html
4. E. Bertino, A.Bhargav-Spantzel, A.C.Squicciarini, “Digital Identity Management and Trust Negotiation”, CERIAS, Purdue University, University of Milan, Milan, Italy
5. E. Bertino, S. Castano, E. Ferrari. “On Specifying Security Policies for Web Documents with an XML-based Language”, SACMAT’01, May 3-4, 2001, Chantilly, Virginia
6. L. Coventry, A. DeAngeli, G. Johnson. “Usability and Biometric Verification at the ATM Interface”. CHI 2003, April 5-10, 2003, Fort Lauderdale, FL.